
Thursday, October 20, 2016

Synchronizing Custom AD Attributes to Office 365 - Part 1

Synchronization of identities has come a long way since the early days of DirSync. We've now seen two major releases of the latest-generation sync tool, Azure AD Connect, and it has introduced a long list of new features. End of support for DirSync and Azure AD Sync is scheduled for April 13, 2017 (announcement).

If you're looking for a list of the benefits of upgrading to the latest version of AD Connect, please see my blog on that topic here: Why upgrade DirSync to Azure AD Connect. One of those great new features is the ability to synchronize directory extension attributes, or even custom attributes, from an on-premises Active Directory environment to Azure AD within Office 365. This post is about some of the limitations still in place around custom attributes, and some suggestions on how to deal with them once they've been synchronized.

We run across cases where clients have customized the on-premises AD schema to introduce new custom attributes. This is often due to some specialized business process or line-of-business application that needs to populate data for each individual user. Perhaps you have an HR app that needs to populate an employee ID, or some level of manager needs to be stored for each user so that other apps can make use of it. Personally, I prefer to use the built-in AD extension attributes (extensionAttribute1, extensionAttribute2, ... extensionAttribute15) for this purpose, because that's what they're there for, but some environments choose to create custom attributes. In many cases, by the time a client chooses to migrate to Office 365, these custom attributes and business processes have been in place for years, and changing those internal processes to use different, built-in attributes simply isn't practical. In addition, they often want a workflow in SharePoint Online or another Office 365 workload to make use of them.

There are 3 high-level steps we can use to accomplish this:

Configure AD Connect to Synchronize Custom Attributes

Retrieve Attributes in Office 365 Using PowerShell

Customize AD Connect Synchronization Rules

This blog is the first in a 3-part series that will discuss each of these steps in detail.

Step 1 - Configure AD Connect to Synchronize Custom Attributes

First, we need to upgrade to AD Connect and configure it properly to synchronize our custom attributes to Office 365.

1. Start by launching the AD Connect configuration wizard on your synchronization server. There should be an icon on the desktop of the server where AD Connect was installed.

2. If you installed AD Connect before you customized your AD schema, you'll need to refresh the AD Connect schema cache. AD Connect works from a cached copy of the AD schema that it built when it was first installed, so attributes added to the schema after installation are not visible to it until that cache is refreshed. You refresh it by selecting the 'Refresh directory schema' option when you run the AD Connect configuration wizard. Select this option and then click Next.

3. Select the on-premises domain for which you want to refresh the schema, and click Next.

4. Click Configure to update the connector, and its cached schema, that is responsible for synchronizing the selected on-premises AD domain to Azure AD. If you wish to start a fresh sync once this process is done, leave the 'Start the synchronization process when the configuration completes' checkbox checked. Since we're only refreshing the schema cache in our local AD Connect at this point, a sync isn't needed yet, so you can un-check the checkbox if you wish.

So far, all we've done is refresh the internal schema for AD Connect. The custom attributes are not yet synchronizing.

Next we need to configure AD Connect with the custom attributes we actually want to synchronize.

1. Re-launch the AD Connect wizard and select 'Customize synchronization options'.

2. Enter your on-premises AD credentials. This is an Enterprise Administrator account for the forest containing the domains you wish to synchronize. The wizard uses these credentials only while it runs; the sync service itself keeps using its separate AD DS connector account.

3. Select the domain(s) you wish to synchronize and any OU filtering you wish to implement. If you're happy with your existing configuration, just click Next.

4. In the Optional Features window, ensure that 'Directory extension attribute sync' is selected.

5. If the Azure AD Apps page appears, ensure that any settings you previously configured on this page are still correct and click Next.

6. If the Azure AD Attributes page appears, ensure that any settings you previously configured on this page are still correct and click Next.

7. When the Attribute Extensions page appears, find your custom attribute(s) in the Available Attributes list and click the right arrow to add them to the Selected Attributes list. The Selected Attributes list represents the custom attributes that will be synchronized to Azure AD within Office 365.

In my example here, we can see that I've extended my AD schema to include a custom attribute called MyCustomAttribute2 and I've selected that attribute to sync to Azure AD.

8. Click Configure to update the synchronization rules AD Connect uses to synchronize on-premises AD attributes to Azure AD, so that they now include the custom attributes you just selected. If you wish to start a fresh sync once this process is done, leave the 'Start the synchronization process when the configuration completes' checkbox checked. In this case I recommend you leave this checkbox selected and start a fresh sync, so that the new attribute flows are applied right away.
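The wizard gives no confirmation beyond "Configuration complete", so it helps to verify on the sync server that the attribute actually made it into the sync rules before waiting on a full cycle. The following PowerShell is an added check, not part of the original post and not code from Microsoft; it uses the ADSync module that ships with Azure AD Connect, the attribute name MyCustomAttribute2 from the example above, and an assumed user principal name (user@contoso.com) for the optional tenant-side check with the AzureAD module.

```powershell
# Added verification script (not from the original post). Run in an elevated PowerShell
# session on the Azure AD Connect server after completing Step 1.
# Assumptions: the custom attribute is MyCustomAttribute2 (as in the post), and the
# AzureAD module is installed if you want the optional tenant-side check at the end.
Import-Module ADSync

$attribute = 'MyCustomAttribute2'

# 1. Confirm the wizard generated the directory-extension rules and that they carry our
#    attribute. Azure AD Connect names these rules "In from AD - <type> DirectoryExtension"
#    and "Out to AAD - <type> DirectoryExtension"; they only exist once the optional feature
#    'Directory extension attribute sync' has been enabled.
$extensionRules = Get-ADSyncRule | Where-Object { $_.Name -like '*DirectoryExtension*' }
if (-not $extensionRules) {
    throw "No DirectoryExtension sync rules found. Re-run the wizard with 'Directory extension attribute sync' enabled."
}

foreach ($rule in $extensionRules) {
    # Each rule lists its attribute flows; a direct flow names the attribute as Source
    # (inbound) or embeds it in the Destination name (outbound).
    $flows = $rule.AttributeFlowMappings | Where-Object {
        $_.Source -contains $attribute -or $_.Destination -like "*$attribute*"
    }
    if ($flows) {
        '{0} ({1}): flows {2}' -f $rule.Name, $rule.Direction,
            (($flows | ForEach-Object { $_.Destination }) -join ', ')
    } else {
        Write-Warning ('{0}: no flow for {1}; the attribute was not selected on the Attribute Extensions page' -f $rule.Name, $attribute)
    }
}

# 2. Make sure the scheduler is enabled, then run a delta sync so the new flows take effect,
#    and wait for all connectors to finish before checking the tenant.
$scheduler = Get-ADSyncScheduler
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning 'Sync cycle is disabled; enable it with Set-ADSyncScheduler -SyncCycleEnabled $true'
}
Start-ADSyncSyncCycle -PolicyType Delta
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)

# 3. Optional tenant-side check. Synchronized extension attributes appear on the Azure AD user
#    as extension_<appId>_<attribute>, where <appId> is the application ID of the tenant's
#    "Tenant Schema Extension App" that Azure AD Connect registers.
Connect-AzureAD
$user = Get-AzureADUser -ObjectId 'user@contoso.com'   # assumed UPN; pick a user whose AD attribute is populated
$user.ExtensionProperty.GetEnumerator() | Where-Object { $_.Key -like "extension_*_$attribute" }
```

If step 1 prints a warning for the inbound rule, the attribute was never selected on the Attribute Extensions page and nothing will reach the tenant no matter how many sync cycles you run; if the inbound flow is present but the tenant check returns nothing, confirm that the test user is in scope of your OU filtering and that the attribute is actually populated in AD. Note that the AzureAD module used in step 3 has since been retired by Microsoft in favour of the Microsoft Graph PowerShell SDK; the ADSync cmdlets in steps 1 and 2 are unaffected.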

About Me

Antonio Maio is an information security architect with over 25 years of experience in cyber security practices and systems, product management, software development and leadership. Antonio is currently a Senior Manager and Senior SharePoint Architect with Protiviti. He has been awarded a Microsoft Most Valuable Professional award for 5 consecutive years, from 2012 to 2016, specializing in Microsoft SharePoint Server, Office 365 and Office Services. His background includes implementing cryptography and PKI systems, information security technologies, and both information governance and cybersecurity best practices. His experience with Microsoft SharePoint and Office 365 extends over the last 10 years. When he’s not helping enterprise, military or government organizations solve security challenges, you can catch him speaking at conferences or contributing to the community through this blog. In his spare time, Antonio likes to oil paint, run, make wine, read and spend time with his family.